10-17-2012 12:59 PM
It seems no matter what group I add an account to the ldap memberOf finds it except for the Domain Users group. Is there a specific exclusion of this group somewhere? It doesn't appear to be an issue with the space in the name because if I test with other default groups like Domain Admins it works. I am getting the same result from both the ldap attribute map as well as trying to use the Domain Users group in a DAP policy. A debug ldap 255 returns every other group membership for an account except for Domain Users.
When I issue the command 'sh ad-group LDAP filter "Domain " ' the Domain Users group is in the results list, so it is able to see it and it exists.
10-18-2012 06:37 AM
Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute. http://msdn.microsoft.com/en-us/library/ms677943.aspx That explains why the mapping fails for any Domain Users, as seen in the debugs.
10-18-2012 06:49 AM
Thanks for the info. Based on your input I have created 2 different DAPs, one using the primaryGroupID of 513 to capture the standard account Domain Users and one that uses memberOf = Domain Users for any accounts that might have had their primaryGroupID changed. It seems to be working.
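To make the mechanism behind both replies concrete, here is an added Python example (not from the thread and not Cisco's code): it shows why a memberOf-only match misses Domain Users for accounts with the default primary group, how the primary group is resolved from primaryGroupID, and the two-rule check from the follow-up. The domain SID, DNs and user entries are constructed sample data.

```python
"""Added example: AD keeps a user's primary group only as a RID in primaryGroupID
and omits it from memberOf, so a memberOf-only rule misses "Domain Users"
(RID 513) for every account that still has the default primary group."""

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"
DOMAIN_USERS_CN = "CN=Domain Users,"

# Constructed sample data for a hypothetical domain (example.com, SID S-1-5-21-1-2-3).
SAMPLE_GROUPS = {  # group SID -> group DN
    "S-1-5-21-1-2-3-513": "CN=Domain Users,CN=Users,DC=example,DC=com",
    "S-1-5-21-1-2-3-512": "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "S-1-5-21-1-2-3-1105": "CN=VPN-Users,OU=Groups,DC=example,DC=com",
}
SAMPLE_USERS = {
    # Default primary group: Domain Users is absent from memberOf.
    "alice": {"objectSid": "S-1-5-21-1-2-3-1104", "primaryGroupID": 513,
              "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
    # Primary group changed to VPN-Users: Domain Users now appears in memberOf.
    "bob": {"objectSid": "S-1-5-21-1-2-3-1106", "primaryGroupID": 1105,
            "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com",
                         "CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    # Service account whose primary group is Domain Admins; not a Domain User at all.
    "svc": {"objectSid": "S-1-5-21-1-2-3-1107", "primaryGroupID": 512,
            "memberOf": []},
}

def primary_group_sid(object_sid: str, primary_group_id: int) -> str:
    """Primary group SID = the user's domain SID (objectSid minus its RID) + primaryGroupID."""
    domain_sid = object_sid.rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(entry: dict, groups: dict) -> set:
    """memberOf plus the primary group, resolved by SID through the group table."""
    result = set(entry["memberOf"])
    sid = primary_group_sid(entry["objectSid"], entry["primaryGroupID"])
    if sid in groups:  # unknown SID: primary group is not in our table, leave it out
        result.add(groups[sid])
    return result

def matches_domain_users(entry: dict) -> bool:
    """The thread's two-rule check: primaryGroupID == 513, or memberOf names
    Domain Users (covers accounts whose primary group was changed)."""
    if entry["primaryGroupID"] == DOMAIN_USERS_RID:
        return True
    return any(dn.startswith(DOMAIN_USERS_CN) for dn in entry["memberOf"])

if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        print(name, matches_domain_users(entry), sorted(effective_groups(entry, SAMPLE_GROUPS)))
```

Real AD DNs compare case-insensitively, so a production version of the memberOf rule should normalise case before matching.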